b' FEDERAL INFORMATION SECURITY\n    MANAGEMENT ACT REPORT\n\n                 Fiscal Year 2010\nEvaluation of the Social Security Administration\'s\n               Compliance with the\n  Federal Information Security Management Act\n                   A-14-10-20109\n\n\n\n\n                 November 2010\n\x0c                                                      Mis s io n\nBy c o n d u c tin g in d e p e n d e n t a n d o b je c tive a u d its , e va lu a tio n s a n d in ve s tig a tio n s ,\nwe in s p ire p u b lic c o nfid e n c e in th e in te g rity a n d s e c u rity o f S S A\xe2\x80\x99s p ro g ra m s\na n d o p e ra tio n s a n d pro te c t th e m a g a in s t fra u d , wa s te a n d a b u s e . We p ro vid e\ntim e ly, u s e fu l a n d re lia b le in fo rm a tio n a n d a d vic e to Ad m in is tra tio n o ffic ia ls ,\nCo n g re s s a n d th e p u b lic .\n\n                                                    Au th o rity\nTh e In s p e c to r Ge n e ra l Ac t c re a te d in d e p e n d e n t a u d it a n d in ve s tig a tive u n its ,\nc a lle d th e Offic e o f Ins p e c to r Ge n e ra l (OIG). 
Th e m is s io n o f th e OIG, a s s p e lle d\no u t in th e Ac t, is to :\n\n   \xef\x81\xad Co n d u c t a n d s u p e rvis e in d e pe n d e n t a n d o b je c tive a u d its a n d\n     in ve s tig a tio n s re la ting to a g e n c y p ro g ra m s a n d o p e ra tio n s .\n   \xef\x81\xad P ro m o te e c o n o m y, e ffe c tive n e s s , a n d e ffic ie n c y with in th e a ge nc y.\n   \xef\x81\xad P re ve n t a n d d e te c t fra u d , wa s te , a n d a b u s e in a ge n c y p ro g ra m s a n d\n     o p e ra tio n s .\n   \xef\x81\xad Re vie w a n d m a ke re c o m m e n d a tio n s re ga rd in g e xis tin g a n d p rop o s e d\n     le g is la tio n a n d re g u la tio n s re la tin g to a g e n c y p ro g ra m s a n d o p e ra tio n s .\n   \xef\x81\xad Ke e p th e a ge n c y h e a d a n d th e Co n g re s s fu lly a n d c u rre n tly in fo rm e d o f\n     p ro b le m s in a g e n c y p ro g ra m s a n d o pe ra tio n s .\n\n   To e n s u re o b je c tivity, th e IG Ac t e m p owe rs th e IG with :\n\n   \xef\x81\xad In d e p e n d e n c e to d e te rm in e wha t re vie ws to p e rfo rm .\n   \xef\x81\xad Ac c e s s to a ll in fo rm a tio n n e c e s s a ry fo r th e re vie ws .\n   \xef\x81\xad Au th o rity to p u b lis h fin d in g s a n d re c o m m e n d a tio n s b a s e d o n th e re vie ws .\n\n                                                       Vis io n\n\nWe s trive fo r c o n tin u a l im p ro ve m e n t in S S A\xe2\x80\x99s p ro g ra m s , o p e ra tio n s a n d\nm a n a g e m e n t b y p ro a c tive ly s e e kin g n e w wa ys to p re ve n t a n d d e te r fra u d , wa s te\na n d a b u s e . 
We c o m m it to in te g rity a n d e xc e lle n c e b y s u p p o rtin g a n e n viro n m e n t\nth a t p ro vid e s a va lu a b le p u b lic s e rvic e while e nc o u ra g in g e m p lo ye e d e ve lo p m e n t\na n d re te n tio n a n d fo s te rin g d ive rs ity a n d in n o va tio n .\n\x0c                                                SOCIAL SECURITY\n\nMEMORANDUM\n\nDate:      November 10, 2010                                                                 Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   Fiscal Year 2010 Evaluation of the Social Security Administration\xe2\x80\x99s Compliance with the\n           Federal Information Security Management Act (A-14-10-20109)\n\n\n           OBJECTIVE\n           Our objective was to determine whether the Social Security Administration\xe2\x80\x99s (SSA)\n           overall security program and practices complied with the requirements of the Federal\n           Information Security Management Act of 2002 (FISMA) for Fiscal Year (FY) 2010. 1\n\n           BACKGROUND\n           FISMA provides the framework for securing the Government\xe2\x80\x99s information and\n           information systems. All agencies must implement the requirements of FISMA and\n           report annually to the Office of Management and Budget (OMB) and Congress on the\n           adequacy and effectiveness of their security programs. FISMA requires that each\n           agency develop, document, and implement an agency-wide information security\n           program. 2\n\n           OMB uses information reported pursuant to FISMA to evaluate agency-specific and\n           Government-wide security performance, develop the annual security report to\n           Congress, and assist in improving and maintaining adequate agency security\n           performance. 
OMB issued Memorandum M-10-15, FY 2010 Reporting Instructions for\n           the Federal Information Security Management Act and Agency Privacy Management, on\n           April 21, 2010. OMB continues to require that agencies use a Web platform,\n           CyberScope, to submit the annual FISMA report.\n\n           In the FY 2010 FISMA guidance, OMB stated that \xe2\x80\x9c[a]gencies need to be able to\n           continuously monitor security-related information from across the enterprise in a\n           manageable and actionable way\xe2\x80\xa6. To do this, agencies need to automate security-\n           related activities, to the extent possible, and acquire tools that correlate and analyze\n           security-related information. Agencies need to develop automated risk models and\n\n           1\n               Pub. L. No. 107-347, Title III, Section 301.\n           2\n               Pub. L. No. 107-347, Title III, Section 301 \xc2\xa7 3544(b), 44 U.S.C. \xc2\xa7 3544(b).\n\x0cPage 2 - The Commissioner\n\n\napply them to the vulnerabilities and threats identified by security management tools.\xe2\x80\x9d 3\nOMB also stated \xe2\x80\x9c[a]ny reporting should be a by-product of agencies\xe2\x80\x99 continuous\nmonitoring programs and security management tools.\xe2\x80\x9d 4 Agencies should provide direct\nfeeds from their security management tools to CyberScope. For those agencies that do\nnot have this ability, OMB will soon release a roadmap that will allow agencies to upload\ndata from security management tools to CyberScope. 5\n\nThis year, OMB instructed the Inspectors General (IG) to focus on their respective\nagency\xe2\x80\x99s management performance, in line with the requirements of FISMA. 
6 The IGs\nwere asked to assess agency performance in 10 major FISMA programs.7 IGs were\nalso required to determine areas for significant improvement if any agency programs did\nnot have these key attributes.8\n\nSee Appendix B for OMB\xe2\x80\x99s 10 major FISMA programs and the required attributes for\neach program and Appendix C for additional background.\n\nSCOPE AND METHODOLOGY\nFISMA directs each agency\xe2\x80\x99s IG or an independent external auditor, as determined by\nthe agency\xe2\x80\x99s IG, to perform an annual, independent evaluation of the effectiveness of\nthe agency\xe2\x80\x99s information security program and practices. 9 SSA\xe2\x80\x99s Office of the Inspector\nGeneral (OIG) contracted with Grant Thornton LLP (GT) to audit SSA\xe2\x80\x99s FY 2010\nfinancial statements.10 Because of the extensive internal control system review that is\ncompleted as part of that work, the OIG\xe2\x80\x99s FISMA requirements were incorporated into\nGT\xe2\x80\x99s financial statement information technology (IT) related work. This evaluation\nincluded the Federal Information System Controls Audit Manual (FISCAM) level reviews\nof SSA\xe2\x80\x99s financial-related information systems. GT also performed an \xe2\x80\x9cagreed-upon\nprocedures\xe2\x80\x9d engagement using FISMA, OMB, National Institute of Standards and\nTechnology (NIST) guidance, FISCAM, and other relevant security laws and regulations\n\n3\n OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management, page 1, April 21 2010.\n4\n     OMB M-10-15, supra at page 2.\n5\n     Id.\n6\n     OMB M-10-15, supra at page 3.\n7\n     Id.\n8\n  OMB M-10-15, supra, requires all reporting through CyberScope, page 2. The OMB-specified attributes\nfor each program and the significant improvement examples are required to be posted on OMB\xe2\x80\x99s\nCyberScope Website, if necessary. 
The agency Chief Information Officers and IGs report through\nCyberScope.\n9\n    Pub. L. No. 107-347, Title III, Section 301, 44 U.S.C. \xc2\xa7 3545(b)(1).\n10\n  OIG Contract Number GS-23F-8196H, December 3, 2009. FY 2010 option was exercised in\nDecember 2009.\n\x0cPage 3 - The Commissioner\n\n\nas a framework to provide information and documentation for the required OIG review of\nSSA\xe2\x80\x99s information security program, practices, and information systems. See\nAppendix D for more details on our Scope and Methodology.\n\nSUMMARY OF RESULTS\nBased on the results of OIG and GT\xe2\x80\x99s work, we determined that SSA\xe2\x80\x99s security\nprograms and practices generally complied with FISMA requirements for FY 2010;\nhowever, there were areas that needed improvement. SSA continues to work toward\nmaintaining a secure environment for its information and systems. For example, SSA\ncontinues to have consistent processes in a number of areas including, certification and\naccreditation (C&A), vulnerability remediation, security training, remote access,\ncontinuous monitoring, and account and identity management.\n\nAlthough the Agency continues to protect its information and systems, our FY 2009\naudit identified, and GT\xe2\x80\x99s FY 2010 financial statement audit identified, certain\ndeficiencies in internal controls that aggregated to a significant deficiency for financial\nstatement reporting. It should be noted that a financial statement significant deficiency\nin internal control does not necessarily rise to the level of a significant deficiency as\ndefined in FISMA. 
11 The FY 2010 financial statement audit significant deficiency does\nnot rise to the level of a significant deficiency under FISMA because of other\ncompensating controls the Agency has in place, such as intrusion detection systems,\nguards, closed circuit televisions, automated systems checks, configuration\nmanagement, and firewalls.\n\nWe also noted that SSA needed to improve certain aspects of security over its systems\nand sensitive information. SSA should ensure\n\n\xe2\x80\xa2    implementation of effective change control and access control processes;\n\xe2\x80\xa2    full implementation of an oversight program for systems operated by contractors or\n     other entities on the Agency\xe2\x80\x99s behalf;\n\n\n\n11\n   The definition of a significant deficiency for financial statement internal control is provided by the\nStatement on Auditing Standards No. 115 (SAS 115) Communicating Internal Control-Related Matters\nIdentified in an Audit. SAS 115 states a significant deficiency is a deficiency, or a combination of\ndeficiencies, in internal control that is less severe than a material weakness, yet important enough to\nmerit attention by those charged with governance. 
A material weakness is a deficiency, or combination\nof deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement\nof the entity\'s financial statements will not be prevented, or detected and corrected on a timely basis.\nOMB provided the definition of a significant deficiency under FISMA in its FY 2010 Reporting\nInstructions for the Federal Information Security Management Act and Agency Privacy Management,\nApril 21, 2010, page 23 defines a significant deficiency as a weakness in an agency\xe2\x80\x99s overall information\nsystems security program or management control structure, or within one or more information systems\nthat significantly restricts the capability of the agency to carry out its mission or compromises the security\nof its information, information systems, personnel, or other resources, operations, or assets. In this\ncontext, the risk is great enough that the agency head and outside agencies must be notified and\nimmediate or near-immediate corrective action must be taken.\n\x0cPage 4 - The Commissioner\n\n\n\xe2\x80\xa2     protection of personally identifiable information (PII); 12\n\xe2\x80\xa2     proper incident handling and notification;\n\xe2\x80\xa2     continued improvement in its C&A process;\n\xe2\x80\xa2     continued improvement in its contingency planning;\n\xe2\x80\xa2     full implementation of its vulnerability remediation policy;\n\xe2\x80\xa2     employees and contractors receive security awareness and specialized security\n      training; and\n\xe2\x80\xa2     continued implementation of a continuous monitoring program.\n\nIMPLEMENTATION OF EFFECTIVE CHANGE CONTROL AND ACCESS CONTROL\nPROCESSES\n\nOMB Circular A-123 Significant Deficiency\n\nControlling and limiting systems access to the Agency\xe2\x80\x99s information systems and\nresources is the first line of defense in ensuring the confidentiality, integrity, and\navailability of the Agency\xe2\x80\x99s information 
resources. 13 Lack of adequate access controls\ncompromises the completeness, accuracy, and validity of the information in the system.\n\nIn FY 2009, our audit of SSA\xe2\x80\x99s financial statements identified a significant deficiency14 in\nthe Agency\xe2\x80\x99s control of access to its sensitive information. 15 In FY 2010, GT\xe2\x80\x99s audit of\nSSA\xe2\x80\x99s financial statements identified a significant deficiency in the Agency\xe2\x80\x99s change\ncontrol management and access to sensitive information. 16\n\nIn FY 2009, we reported that SSA needed to periodically recertify individuals\xe2\x80\x99 security\naccesses to Agency mainframe computers. 17 Moreover, a policy had not been\nestablished and consistently implemented Agency-wide to periodically reassess the\ncontent of security access to ensure employees and contractors are given least-\nprivilege accesses for their job responsibilities. Further, SSA was unable to consistently\n12\n   OMB, M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the\nCost for Security in Agency Information Technology Investments, page 1, July 2006, defines PII as any\ninformation about an individual maintained by an agency, including, but not limited to, education, financial\ntransactions, medical history, and criminal or employment history and information that can be used to\ndistinguish or trace an individual\'s identity, such as their name, Social Security number, date and place of\nbirth, mother\'s maiden name, biometric records, etc., including any other personal information that is\nlinked or linkable to an individual.\n13\n     SSA, Information Systems Security Handbook, Section 2.1.\n14\n     See Footnote 11.\n15\n  SSA OIG, Fiscal Year 2009 Evaluation of the Social Security Administration\xe2\x80\x99s Compliance with the\nFederal Information Security Management Act (A-14-09-19047), November 2009.\n16\n   Grant Thornton LLP, Independent Auditor\xe2\x80\x99s Report on 
SSA\xe2\x80\x99s FY 2010 Financial Statements, November\n8, 2010.\n\n17\n     See Footnote 15.\n\x0cPage 5 - The Commissioner\n\n\nprovide evidence that Agency management reviewed security accesses or "profiles" 18 to\ndetermine whether system data, transactions, and resources for financially significant\napplications, systems, and related tools were in line with the concept of least privilege.\n\nIn FY 2010, GT identified the same issues we reported in FY 2009 and one new issue.\nSpecifically, GT found that (1) SSA did not consistently comply with policies and\nprocedures to reassess periodically the content of security access profiles; (2) some\nemployees and contractors had system access that exceeded the access required to\ncomplete their job responsibilities; and (3) certain mainframe configurations increased\nthe risk of unauthorized access. 19 Regarding the mainframe configuration issue that GT\nfound this year, GT reported that some of SSA\xe2\x80\x99s employees and contractors were\nprovided excessive access. 20 For example, an individual could have modified\ninformation or crashed the system. Once GT discovered the control weakness, SSA\ntook immediate action to resolve it. 
GT recommended that SSA implement a policy that\nwould require a periodic review of the content of the Agency\xe2\x80\x99s profiles and controls to\ntest and monitor configurations on the mainframe.\n\nAccording to the Office of the Chief Information Officer (OCIO), SSA has undertaken an\nIT project to address the access control weakness related to the significant deficiency.\nThis project, once implemented, will provide enhanced capabilities for reviewing,\napproving and documenting the justifications associated with access requests.\n\nFULL IMPLEMENTATION OF AN OVERSIGHT PROGRAM FOR SYSTEMS\nOPERATED ON THE AGENCY\xe2\x80\x99S BEHALF BY A CONTRACTOR OR OTHER\nENTITIES\n\nFISMA requires that agencies protect information collected or maintained by, or on\nbehalf of, agencies from unauthorized access, use, disclosure, disruption, modification\nor destruction. 21 Agencies\xe2\x80\x99 documented information security program should provide for\ninformation security for information and information systems provided or managed by\nanother agency, contractor, or other source (Contractor System). 22 OMB\xe2\x80\x99s FISMA\nguidance states that agency information security programs apply to all organizations\n(sources) that possess or use Federal information \xe2\x80\x93 or that operate, use, or have\naccess to Federal information systems (whether automated or manual) \xe2\x80\x93 on behalf of a\nFederal agency. 23 Federal security requirements continue to apply, and the agency is\n18\n  A profile is one of TOP SECRET\xe2\x80\x99s primary access control mechanisms. Each profile contains a unique\nmix of facilities and transactions that determines what access to systems resources that specific position\nneeds. 
TOP SECRET is a commercial access-control package modified to fit SSA\xe2\x80\x99s unique requirements\nand operating environment, provides security for SSA systems.\n19\n     SSA\xe2\x80\x99s FY 2010 Performance and Accountability Report.\n20\n   Additional details about this control weakness might further compromise SSA\xe2\x80\x99s information and\ninformation system, therefore, they are not provided in the report.\n21\n     Pub. L. No. 107-347, Title III, Section 301 \xc2\xa7 3544(a)(1)(A)(i), 44 U.S.C. \xc2\xa7 3544(a)(1)(A)(i).\n22\n     Pub. L. No. 107-347, Title III, Section 301 \xc2\xa7 3544(b), 44 U.S.C. \xc2\xa7 3544(b).\n23\n     OMB M-10-15, supra, Frequently Asked Questions, Question 36, page 13.\n\x0cPage 6 - The Commissioner\n\n\nresponsible for ensuring appropriate security controls.24 Agencies must also develop\npolicies for information security oversight of contractors and other users with privileged\naccess to Federal data. 25 In addition, FISMA requirements must be included in\ncontracts and, when applicable, in grant terms and conditions.26\n\nWe determined that SSA\xe2\x80\x99s Contractor System oversight program generally complied\nwith FISMA requirements for FY 2010. SSA\xe2\x80\x99s Contractor System oversight policy and\nprocedures are contained in several documents. SSA\xe2\x80\x99s Certification and Accreditation\nHandbook contains the required security tasks that apply to all systems including\nContractor Systems. SSA\xe2\x80\x99s Interconnection Approval Process Guide provides guidance\nfor planning, establishing, maintaining, and terminating interconnections between IT\nsystems that are owned and operated by non-SSA entities. SSA is also required to\ninclude the Federal security training and privacy requirements in all its services\ncontracts. 27\n\nAlthough SSA has a Contractor Oversight process, we identified some areas that\nneeded improvement. 
SSA lacks an Agency level contractor oversight policy in its\nInformation System Security Handbook to provide comprehensive guidance. In addition,\nSSA policy does not require that contract terms include all FISMA requirements. We\nalso found the following two issues with SSA\xe2\x80\x99s Contractor System oversight program.\n\n        SSA\xe2\x80\x99s Master System Inventory Contained All Systems But Did Not Identify\nContractor Systems. In FY 2010, we found three systems that met the definition of\nsystems \xe2\x80\x9coperated on the Agency\xe2\x80\x99s behalf by contractors or other entities\xe2\x80\x9d but not\nidentified as such in SSA\xe2\x80\x99s master inventory. These systems are Access to Financial\nInstitutions (AFI), operated by Accuity Inc.; 28 E2 Solutions, operated by the General\nServices Administration; 29 and Cyber Security Assessment and Management (CSAM), 30\noperated by the Department of Justice.\n\n\n\n\n24\n     OMB M-10-15, supra, Frequently Asked Questions, Question 36, page 14.\n25\n     Id.\n26\n     OMB M-10-15, supra, Frequently Asked Questions section, Question 39, page 16.\n27\n Social Security Administration\xe2\x80\x99s Acquisition Handbook, Section 0402 Federal Information Security\nManagement Act (FISMA) and Agency Privacy Management, October 2008.\n28\n  AFI is an electronic process to automatically verify financial account balances alleged by claimants and\nbeneficiaries during the Supplemental Security Income claims and redeterminations processes.\n29\n     E2 Solution is the travel system adopted by SSA.\n30\n  CSAM is SSA\xe2\x80\x99s FISMA tracking tool. CSAM enables the Agency and SSA\xe2\x80\x99s C&A Managers to gather\nsystem information and to create reports to support the FISMA assessment. SSA also uses CSAM for\nmanaging the identified weaknesses.\n\x0cPage 7 - The Commissioner\n\n\n       SSA Did Not Ensure that All Contractor Systems Met FISMA Requirements\nBefore Putting Them Into Operation. 
Agencies are required to provide security\nprotections for Contractor Systems.31 SSA had taken some steps to ensure that E2\nSolutions and CSAM had proper security controls. However, for AFI, SSA did not\nensure the contractor system met FISMA requirements before putting it into operation.\n\nOMB FISMA guidance states, \xe2\x80\x9cAgencies are fully responsible and accountable for\nensuring all FISMA and related policy requirements are implemented and reviewed and\nsuch must be included in the terms of the contract.\xe2\x80\x9d 32 Agencies must ensure all\nContractor Systems have identical security procedures as its own systems.33 For\nexample, annual reviews, risk assessments, security plans, control testing, contingency\nplanning and security authorization (C&A) must, at a minimum, explicitly meet NIST\nguidance. 34\n\nAccuity, Inc., has been a service provider to SSA since 2003. In 2003, SSA contracted\nwith Accuity, Inc., to create a Web-based system that allowed Agency offices to\nelectronically submit and receive Supplemental Security Income asset information. 35\nSSA conducted a limited proof of concept in 20 field offices in New York and New\nJersey in FY 2004. In FY 2005, SSA conducted a pilot in all 110 field offices in the 2\nStates. In November 2007, SSA decided to expand the system to California. In\nSeptember 2010, SSA expanded the pilot once again to 14 additional States. The AFI\napplication stores PII information. 
See Table 1 below.\n\n                                   Table 1: AFI Information Types\n                          Representative Payee Information\n                          Income Information\n                          Personal Identity and Authentication Information\n                          Entitlement Event Information\n                          Payments Information\n                          General Retirement and Disability Information\n                          Reporting and Information\n                          Survivor Compensation Information\n\n\n\n\n31\n     Pub. L. No. 107-347, Title III, Section 301 \xc2\xa7 3544(b), 44 U.S.C. \xc2\xa7 3544(b).\n32\n     OMB M-10-15, supra, Frequently Asked Questions section, Question 38, pages 14-15.\n33\n     Id.\n34\n     Id.\n35\n  This is referred to as the e4641 Asset Verification System. SSA contracted with Accuity Solutions in\n2003 to develop the web-based system that automates the SSA-4641 consent form and handles the\nsending and receipt of bank account verifications. The system is owned by Accuity, Inc. The Form SSA-\n4641 is the Authorization For The Social Security Administration To Obtain Account Records From A\nFinancial Institution And Request For Records.\n\x0cPage 8 - The Commissioner\n\n\nBefore expanding the AFI pilot to 14 additional States, the Agency\n\n\xe2\x80\xa2    conducted a System Security Categorization Review to determine the system impact\n     level of AFI using federal guidance; 36\n\xe2\x80\xa2    performed a Risk Assessment (RA) using penetration testing techniques; and\n\xe2\x80\xa2    obtained a Statement on Auditing Standards (SAS) 70 report on AT&T\xe2\x80\x99s Web\n     hosting services. 37\n\nThe RA did not examine all security controls as required by NIST; as a result, it may not\nhave identified all security risks related to the AFI system. The AFI RA report listed only\n87 of the 170 baseline security controls required by NIST for a moderate impact\nsystem. 
38 Of the 87, 40 controls were assessed. Of the 40 controls assessed, 17 were\nphysical security controls. The remaining 23 controls assessed resulted in13 security\nexceptions (1 high risk, 9 moderate risk, and 3 low risk) and more than a hundred of\nrecommended security setting changes. Accuity and SSA addressed many of these\nsecurity weaknesses immediately, but it is unclear what security risks SSA may be\nexposed to because of the security controls that were not assessed before the AFI pilot\nwas expanded.\n\nAccording to the OCIO, the AFI system is an important part of the agency\xe2\x80\x99s strategy to\nreduce improper payments and the expansion of the AFI pilot that occurred in\nSeptember 2010 represented a critical milestone. The timeframe between contract\naward and pilot expansion did not permit a full security authorization to be performed.\nOCIO staff stated that SSA had taken a risk-based approach to obtain a level of\nassurance before expanding the AFI pilot given the short timeframe. SSA believes its\napproach is acceptable and compliant with the NIST guidance. Additionally, the Agency\nplans to complete a full C&A by the end of December 2010.\n\nWe agree that SSA did perform some security-related activities, but the Agency should\nhave conducted a complete C&A or obtained C&A related information from other\nagencies doing business with Accuity before putting AFI into operation. To improve its\ncontractor system oversight program, we recommend SSA\n\n\n36\n   The review used NIST Special Publication (SP) 800-60, Guide for Mapping Types of Information and\nInformation Systems to Security Categories and Federal Information Processing Standard 199, Standards\nfor Security Categorization of Federal Information and Information Systems. 
The categorization is\nderived from identifying the types of information stored or created in the system and determining the\nexpected impact to SSA from a loss in confidentiality, integrity, and availability to the system or data.\n37\n   SAS No. 70, Service Organizations, is a widely recognized auditing standard developed by the\nAmerican Institute of Certified Public Accountants. A service auditor\'s examination performed in\naccordance with SAS No. 70 represents that a service organization has been through an in-depth audit of\nits control objectives and control activities, which often include controls over IT and related processes.\n38\n  NIST Special Publication 800-53, Revision 3, Online Database, lists the minimum security control\nbaselines for low-impact, moderate-impact, and high-impact information systems. AFI is a moderate\nimpact system. There are 170 controls listed as the minimum control baseline for a moderate impact\nsystem. The impact level of a system is referred to the security categorization, see Footnote 36.\n\x0cPage 9 - The Commissioner\n\n\n\xe2\x80\xa2     establish a separate chapter in its Information System Security Handbook to outline\n      all required security tasks for Contractor Systems Oversight according to OMB\n      requirements;\n\xe2\x80\xa2     require that contracts include Federal security requirements;\n\xe2\x80\xa2     ensure compliance with Federal requirements and Agency policy for Contractor\n      Systems Oversight; and\n\xe2\x80\xa2     complete the AFI C&A prior to further expanding AFI application to more States.\n\nPROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION\n\nFederal agencies must safeguard PII, 39 as required by the Privacy Act of 1974. 40 In\naddition, FISMA requires that agencies protect information collected or maintained by,\nor on behalf of, agencies commensurate with the risk and magnitude of harm from\nunauthorized access, use, disclosure, disruption, modification or destruction. 
41 Further,\nOMB issued several memorandums42 on how Federal agencies should safeguard PII. 43\n\nSSA has established policies and procedures for PII protection and requires that its\nemployees be vigilant in safeguarding PII collected and maintained by the Agency in\nany format. However, we identified instances where SSA needed to improve its PII\nprotection.\n\nOur June 2010 report 44 stated SSA\xe2\x80\x99s Office of Disability Adjudication and Review\xe2\x80\x99s\n(ODAR) flexiplace 45 practices may have exposed claimant data to unauthorized\ndisclosure. 46 ODAR allowed flexiplace employees to remove PII stored on\n39\n     See Footnote 12.\n40\n     Pub. L. No. 93-579, as amended, \xc2\xa7 552a(e)(10), 5 U.S.C. \xc2\xa7 552a(e)(10).\n41\n     Pub. L. No. 107-347, Title III, Section 301 \xc2\xa7 3544(a)(1)(A)(i), 44 U.S.C. \xc2\xa7 3544(a)(1)(A)(i).\n42\n   OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006;\nM-06-16, Protection of Sensitive Agency Information, June 23, 2006; M-07-16, Safeguarding Against and\nResponding to the Breach of Personally Identifiable Information, May 22, 2007; and M-06-19, Reporting\nIncidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency\nInformation Technology Investments, July 12, 2006.\n43\n     See Footnote 12.\n44\n  SSA OIG, Controls Over the Flexiplace Program and Personally Identifiable Information at Hearing\nOffices (A-08-09-19079), June 2010.\n45\n  Flexiplace allows qualified ODAR staff to perform assigned work at a management-approved alternate\nduty station, which is typically their personal residence. As such, employees who participate in Flexiplace\ntake claimants\xe2\x80\x99 case files to their alternate duty stations. 
These case files can be in paper form or stored\non portable devices, such as compact discs and laptop computers, and generally include claimants\xe2\x80\x99 PII.\n46\n  OMB Memorandum M-06-16, Protection of Sensitive Agency Information, page 1, June 23, 2006,\nrecommends that agencies encrypt all data on mobile computers/devices that carry agency data unless\nthe data is determined to be non-sensitive. Agencies also need to log all computer-readable data\nextracts from databases holding sensitive information and verify each extract including sensitive data has\nbeen erased within 90 days or its use is still required.\n\x0cPage 10 - The Commissioner\n\n\nunencrypted 47 compact discs. In addition, ODAR employees did not always comply with\nSSA\xe2\x80\x99s preventative controls, such as locking claimant PII, when traveling to, or working\nat, an alternate duty station. We also determined that ODAR did not always identify the\nremoval, and confirm the return, of PII. We recommended that ODAR employees store\nelectronic PII on an encrypted and password-protected laptop when working Flexiplace,\nuntil a compact disc encryption solution for ODAR is developed. Furthermore, we\nrecommended that SSA reemphasize to ODAR employees the importance of complying\nwith all Agency PII policies and directives and consider implementing additional\nprocedures to account for the removal and return of PII.\n\nIn a November 2010 audit, 48 we reported computer hard drives awaiting disposal\ncontained PII. In April 2009, our testing found these hard drives were not properly\nsanitized, as required by NIST 49 and SSA policy. 50 In addition, SSA could not account\nfor the hard drives from some IT equipment awaiting disposal. These hard drives could\npotentially contain PII.\n\nAfter we notified SSA of this issue, it reported the loss of these hard drives to the United\nStates Computer Emergency Readiness Team (US-CERT). 
We made several recommendations to improve SSA’s IT media sanitization policies and procedures. We recommended that SSA:

• designate one or more employees in each region who will certify and erase all information from IT media;
• test a representative sample of sanitized IT media to ensure all data and programs are effectively erased before disposal; and
• properly track IT media (that is, hard drives) through the sanitization and disposal process.

PROPER INCIDENT HANDLING AND NOTIFICATION

OMB requires that security incidents involving PII or unauthorized access be reported to US-CERT within 1 hour of discovery or detection. 51 In FY 2010, SSA reported

47 Encryption is one method used to protect data stored electronically. Encryption software converts data into a form that cannot be read without the corresponding key, so that only authorized users can recover it.
48 SSA OIG, The Social Security Administration’s Controls for Ensuring the Removal of Sensitive Data from Excessed Computer Equipment (A-14-10-11003), November 2010.
49 FISMA requires compliance with information security standards promulgated under § 11331 of Title 40, which includes standards promulgated by NIST. Pub. L. No. 107-347, Title III, Section 301 § 3544(a)(1)(B)(i), 44 U.S.C. § 3544(a)(1)(B)(i). NIST recommends organizations sanitize information system media prior to disposal, release out of organizational control, or release for reuse. NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, Appendix F, page F-74.
50 SSA, Information System Security Handbook, Section 10.3.1.
51 OMB M-07-16, supra at page 10.

80 percent of the PII incidents to US-CERT within 1 hour.
In FY 2009, SSA reported only 35 percent of PII incidents to US-CERT within 1 hour. SSA has made great strides to improve its PII incident reporting.

Our FY 2009 FISMA report found that SSA conducted additional research to confirm that a PII incident had actually occurred before reporting it. Because SSA sometimes delayed reporting, valuable time was lost before law enforcement agencies and US-CERT were notified and could begin their investigation. Further, since SSA waited to confirm a PII incident instead of immediately reporting a suspected PII incident, the Agency did not comply with OMB policy. 52

According to SSA, in FY 2010, the Agency revised its policy and no longer requires additional research to confirm that a PII incident actually occurred before reporting to US-CERT. SSA’s new policy is consistent with OMB guidance. 53 In addition, the OCIO is implementing an automated PII Loss Reporting tool that will enable SSA to report a higher percentage of PII incidents to US-CERT within 1 hour.

In FY 2009, we reported that SSA reported PII incidents to local law enforcement but not to our Office of Investigations. In FY 2010, we identified the same condition. FISMA requires that agencies notify and consult law enforcement agencies and their OIGs regarding security incidents, as appropriate. 54 SSA provided 19 PII incidents that it stated were reported to law enforcement. We tested a sample of five incidents and found that SSA reported four, and an SSA contractor 55 reported one, to local law enforcement. However, our Office of Investigations did not receive any reports of PII incidents.
Without receiving these referrals, the Office of Investigations could not determine whether these cases needed further investigation and therefore could not ensure SSA resolved these incidents in a timely manner to minimize PII exposure.

Further, SSA’s Incident Response policy and procedures do not specify which types of security incidents must be reported to law enforcement and the OIG, or the timeframe within which they must be reported. NIST guidance states that one reason many security-related incidents do not result in convictions is that organizations do not properly contact law enforcement. 56 “The incident response team should become acquainted with its law enforcement representatives before an incident occurs to discuss conditions under which incidents should be reported to them, how the reporting should be performed, what evidence should be collected, and how it should be

52 Id.
53 OMB M-07-16, supra.
54 Pub. L. No. 107-347, Title III, Section 301 § 3544(b)(7)(C)(i), 44 U.S.C. § 3544(b)(7)(C)(i).
55 SSA could not provide documentation to support that the contractor reported the PII incident to local law enforcement because the contractor did not provide documentation to SSA.
56 NIST SP 800-61, Computer Security Incident Handling Guide, Revision 1, Section 2.3.4.2, page 2-6, March 2008.

collected.” 57 For PII incidents, SSA’s policy reminds component managers that they may need to take additional action, such as filing a report with the IG. We believe the lack of guidance may have led to the findings discussed above.

We recommend SSA work with our Office of Investigations to establish policy and procedures on what types of PII incidents should be reported to law enforcement and the OIG and in what timeframes.
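The reporting rules discussed above can be expressed as a check over incident records, so that a late or missing report is flagged when it happens rather than found at audit time. The following is an added example written for this page; it is not SSA's PII Loss Reporting tool or any OIG code. It encodes the OMB M-07-16 rule cited in the report (report to US-CERT within 1 hour of discovery, suspected or confirmed) and the recommendation that incidents also reach law enforcement and the OIG within an established timeframe. The 24-hour OIG window, the record fields and the sample incidents are assumptions.

```python
"""Check PII incident records against the reporting deadlines discussed above.

Added example for this page, not SSA's tooling. The US-CERT clock starts at
discovery (OMB M-07-16); the OIG window is an assumed value standing in for the
timeframe the report asks SSA to define.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

USCERT_DEADLINE = timedelta(hours=1)   # OMB M-07-16: one hour from discovery
OIG_DEADLINE = timedelta(hours=24)     # assumed; the report asks SSA to set this


@dataclass
class PiiIncident:
    incident_id: str
    discovered: datetime                 # when the incident was detected or suspected
    confirmed: Optional[datetime]        # None while the incident is only suspected
    reported_uscert: Optional[datetime]
    reported_oig: Optional[datetime]


def uscert_on_time(inc: PiiIncident) -> bool:
    """The 1-hour clock runs from discovery, not from confirmation."""
    return (inc.reported_uscert is not None
            and inc.reported_uscert - inc.discovered <= USCERT_DEADLINE)


def findings(inc: PiiIncident) -> list[str]:
    """Return the reporting failures for one incident (empty list = compliant)."""
    out: list[str] = []
    if inc.reported_uscert is None:
        out.append("not reported to US-CERT")
    elif not uscert_on_time(inc):
        late_by = inc.reported_uscert - inc.discovered - USCERT_DEADLINE
        msg = f"US-CERT report late by {late_by}"
        # The FY 2009 pattern: the report went out only after the incident was confirmed.
        if inc.confirmed is not None and inc.reported_uscert >= inc.confirmed:
            msg += " (report waited for confirmation)"
        out.append(msg)
    if inc.reported_oig is None:
        out.append("no referral to OIG")
    elif inc.reported_oig - inc.discovered > OIG_DEADLINE:
        late_by = inc.reported_oig - inc.discovered - OIG_DEADLINE
        out.append(f"OIG referral late by {late_by}")
    return out


def summarize(incidents: list[PiiIncident]) -> dict:
    """Aggregate the metric the report tracks: share reported to US-CERT within 1 hour."""
    on_time = sum(1 for inc in incidents if uscert_on_time(inc))
    return {
        "total": len(incidents),
        "uscert_within_1h": on_time,
        "pct_within_1h": round(100 * on_time / len(incidents)) if incidents else 0,
        "missing_oig_referral": sum(1 for inc in incidents if inc.reported_oig is None),
    }


def _t(hhmm: str, day: int = 1) -> datetime:
    """Timestamp helper for the constructed sample (June 2010, assumed dates)."""
    return datetime(2010, 6, day, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample records, not real SSA incidents.
SAMPLE = [
    PiiIncident("PII-001", _t("09:00"), None, _t("09:40"), _t("12:00")),                 # suspected, reported promptly
    PiiIncident("PII-002", _t("09:00"), _t("11:30"), _t("11:45"), None),                # waited for confirmation, no OIG referral
    PiiIncident("PII-003", _t("09:00"), _t("09:10"), _t("09:50"), _t("10:00", day=3)),  # OIG referral two days later
    PiiIncident("PII-004", _t("09:00"), None, None, _t("09:30")),                       # never sent to US-CERT
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.incident_id, findings(inc) or "compliant")
    print(summarize(SAMPLE))
```

The point of `uscert_on_time` is where the clock starts: a record whose US-CERT report is timestamped after `confirmed` is exactly the "research first, report later" practice the FY 2009 report criticised, and it is flagged as such even when the confirmation itself was quick.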
As a result of these discussions, SSA should revise its PII reporting policy to document the types of PII incidents, and the timeframes within which they must be reported, to law enforcement and the OIG. In addition, we recommend SSA report all suspected or confirmed breaches of PII to US-CERT within 1 hour and to the OIG within established timeframes.

CONTINUED IMPROVEMENT IN CERTIFICATION AND ACCREDITATION PROCESS

SSA had conducted C&A reviews 58 for its 21 major systems and applications in the past 3 years, as required by FISMA. 59 To test SSA’s compliance with OMB 60 and NIST 61 guidance, we reviewed four of the eight major systems or applications certified in FY 2010. We found SSA’s C&A program generally met the requirements of NIST SP 800-37. However, we found SSA’s Security Assessment process needed improvement.

As reported in our FY 2008 and 2009 FISMA reports, SSA’s security assessments were largely based on less effective assessment methods, such as examinations and

57 Id.
58 According to NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004, security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.
59 OMB guidance states, “security authorizations are required for all Federal information systems.” Section 3544(b)(3) of FISMA refers to “subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems” and does not distinguish between major or other applications. OMB M-10-15, supra, Frequently Asked Questions, Question 25, page 9.
60 Id.
61 See Footnote 59.

interviews. 62 SSA made some improvements during the FY 2009 C&A process by significantly increasing the use of the test method 63 to assess the effectiveness of its security controls. However, we did not see any further improvement in this area in FY 2010. Our FY 2010 review again found that only a low percentage of controls were assessed by hands-on testing.

There were weaknesses related to access control, configuration management, and other areas tested that should have been identified in the C&A review process.
For example, the systems penetration and security testing that GT performed as part of the financial statement audit identified weaknesses in patch management, password rules, configuration management and authentication.

We reiterate our FY 2009 recommendation that SSA continue to improve its C&A process by increasing the usage of the test assessment method.

CONTINUED IMPROVEMENT IN ITS CONTINGENCY PLANNING

In our FY 2009 FISMA report, we reported that SSA needed to improve its long-term and comprehensive IT Strategic Planning process to address its future processing needs, including its replacement project for the current National Computer Center (NCC). We also stated that SSA needed to address its ability to recover critical data processing operations in the event of disaster. We recommended that SSA use the second support center (SSC) as the disaster recovery site for the NCC.

In our 2010 Congressional Response Report: The Social Security Administration’s Disaster Recovery Capabilities (Limited Distribution), we stated that SSA took steps to improve its disaster recovery capability. SSA accelerated the use of the SSC as a backup and recovery center and conducted an Accelerated Disaster Recovery Environment exercise to test the Agency’s ability to recover completely from an NCC disaster. We also reported that SSA would be able to restore the Agency’s mission-critical systems and non-mission-critical systems, with some gaps, should the NCC or SSC become unavailable.

Although SSA improved its Contingency Planning, the Agency’s disaster recovery goal of 24 hours did not meet the Federal requirement of a 12-hour recovery time. 64 The

62 NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, July 2008, page 9, defined three security control assessment methods: examine, interview and test.
The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects. The interview method is the process of conducting discussions with individuals or groups of individuals within an organization to, once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.
63 Id.
64 FCD 1, Federal Executive Branch National Continuity Program and Requirements, February 2008, page 7, defines Primary Mission Essential Functions as those functions that need to be continuously performed during an event or resumed within 12 hours of an event, and that need to be maintained for up to 30 days after the event or until normal operations can be resumed.

Agency would be able to perform manual processes within the first 12 hours, but this would not meet the Federal Continuity Directive 1 (FCD 1) requirement. According to FCD 1, an organization’s continuity capacity (its ability to perform essential functions continuously) rests on key components and pillars, which are in turn built on the foundation of continuity planning and program management. The pillars are leadership, staff, communications and technology, and facilities. 65 FCD 1 states that communications and business systems, including hardware and software for continuity operations, should mirror those used in day-to-day business to assist continuity leadership and staff in a seamless transition to crisis operations. 66

SSA reported that the Accelerated Disaster Recovery Environment exercise, which excluded systems and applications running at the SSC and systems that were redundant between the NCC and SSC, took 101 hours (approximately 4 days) to recover SSA’s mission-critical workloads. We recommend SSA continue improving its contingency planning and disaster recovery capacity to meet Federal requirements.

FULL IMPLEMENTATION OF ITS VULNERABILITY REMEDIATION POLICY

FISMA requires that agencies implement an agency-wide information security program that includes a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the Agency’s information security policies, procedures, and practices. 67 OMB requires that agencies have a Plan of Action and Milestones (POA&M) process to manage their remediation of security vulnerabilities. 68 In FY 2009, we reported that some of the deficiencies in the Agency’s information security policies, procedures, and practices were not tracked in CSAM, and some Agency component quarterly remediation status reports were not provided to the OCIO. In FY 2010, SSA’s components provided remediation status reports to the OCIO; however, SSA is still not tracking all information security deficiencies in CSAM.

We found that the POA&Ms for 11 high impact and 24 moderate impact security deficiencies were not tracked in CSAM. These deficiencies and related remediation plans were not tracked because SSA’s Office of Telecommunications and Systems Operations did not report them to the OCIO. If deficiencies are not reported and tracked, the OCIO has no assurance that the security vulnerability has been remediated.

SSA should ensure all security deficiencies and their related remediation plans are timely reported and properly tracked in CSAM.

65 FCD 1, supra, page 3.
66 FCD 1, supra, page 4.
67 Pub. L. No. 107-347, Title III, Section 301(b) § 3544(b)(6), 44 U.S.C. § 3544(b)(6).
68 OMB M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, October 17, 2001.

EMPLOYEES AND CONTRACTORS RECEIVE SECURITY AWARENESS AND SPECIALIZED SECURITY TRAINING

FISMA and OMB require that all agency personnel and contractors receive appropriate annual security awareness and specialized security training. 69 The Agency’s policy stated that its approach to providing information security training to all SSA employees and systems users follows the guidelines in OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, 70 which indicates that all individuals must be appropriately trained to fulfill their security responsibilities before they are granted access to agency systems. FISMA requires that each agency develop, document, and implement an agency-wide information security program. 71 NIST recommends agencies monitor the compliance and effectiveness of their security awareness training program. 72 An automated tracking system should be designed to capture key information regarding program activity (for example, courses, dates, audience, costs, and sources). The tracking system should capture the data at an agency level so they can be used to provide enterprise-wide analysis and reporting regarding awareness, training, and education initiatives. 73 In our FY 2009 FISMA review, we reported SSA’s security awareness and training program had two deficiencies. These deficiencies were as follows.

1. SSA did not have an effective process to confirm that all users with log-in privileges completed annual security awareness training before accessing the Agency’s systems.
2. SSA did not have an effective process to monitor compliance and effectiveness of the security awareness and specialized security training program.

In FY 2010, we continued to observe the same weaknesses. In addition, we identified that SSA’s Security Awareness and Training policy did not provide guidance for determining the training needs for its employees with significant security responsibilities. 74 Further, we could not test whether SSA’s employees with significant IT security responsibilities had appropriate training because the Agency did not maintain documentation of such training. Without guidance for determining and documenting training needs, the Agency cannot ensure that employees with significant security responsibilities receive proper specialized security training for their job responsibilities.

SSA stated that all employees and contractor personnel received appropriate security awareness and specialized security training. However, in a sample of 30 employees with significant IT responsibilities, the Agency could only provide evidence that 24 employees received specialized training. We also found that 5 of 20 new hires in our sample accessed SSA's systems before they received security awareness training.

We continue to recommend SSA develop a system or process that adequately confirms all users with log-in privileges complete annual security awareness training.

69 OMB M-10-15, supra at page 15, states “…the agency is responsible for ensuring the contractor personnel receive appropriate training (i.e., user awareness training and training on agency policy and procedures).” Pub. L. No. 107-347, Title III, Section 301(b) § 3544(a)(4) requires each agency head to ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines. OMB M-07-16, Attachment 1 § A.2.d states, “Agencies must initially train employees (including managers) on their privacy and security responsibilities before permitting access to agency information and information systems. Thereafter, agencies must provide at least annual refresher training to ensure employees continue to understand their responsibilities. Additional or advanced training should also be provided commensurate with increased responsibilities or change in duties.”
70 Section A.3.a.2.b.
71 Pub. L. No. 107-347, Title III, Section 301(b) § 3544(b), 44 U.S.C. § 3544(b).
72 NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, October 2003, page ES-1, states, “Within agency IT security program policy, there must exist clear requirements for the awareness and training program.”
73 NIST SP 800-50, supra at section 6.1.
Further, SSA needs to establish an automated tracking system to create, review, and maintain security awareness training records for all employees and contractors as evidence of compliance with OMB A-130, FISMA, and NIST guidelines.

In addition, we recommend SSA provide additional guidance for determining the training needs for its employees with significant security responsibilities and require retention of documentation for such training.

CONTINUOUS MONITORING PROGRAM STATUS FOR MEETING OFFICE OF MANAGEMENT AND BUDGET REQUIREMENT TREND

To date, SSA has complied with the OMB and NIST requirements for its continuous monitoring program. The continuous monitoring process consists of three tasks: (i) configuration management and control; (ii) security control monitoring; and (iii) status reporting and documentation. The purpose of this process is to provide ongoing oversight and monitoring of the security controls in the information system and to inform the authorizing official when changes occur that may impact the system’s security. The activities in this process are performed throughout the life cycle of the information system. Reaccreditation may be required because of specific changes to the information system or because Federal or agency policies require periodic reaccreditation of the information system. 75

74 SSA defined its employees with significant security responsibilities as “Employees with high levels of access to sensitive data who could affect agency-wide operations and/or who perform security, investigative, or auditing activities on a frequent basis. Personnel in these roles have significant access to sensitive information, such as social security records, medical records, business confidential documents, and other personally identifiable information, which needs to be protected against unauthorized access; fraudulent activities; and inappropriate disclosure and modification.” SSA, Information Systems Security Handbook, Appendix H, Security Training.
75 NIST SP 800-37, supra. NIST issued revised guidance in February 2010, and agencies have 1 year to fully implement the changes in the revised guidance.

In its FY 2010 FISMA guidance, OMB stated that “[a]gencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way…. Agencies need to develop automated risk models and apply them to the vulnerabilities and threats identified by security management tools.” 76 OMB also stated “any reporting should be a by-product of the agencies’ continuous monitoring programs and security management tool.” 77

To meet OMB’s future continuous monitoring requirements, SSA reported it has procured consulting services to assist in developing a continuous monitoring strategy that includes evaluating the Agency’s current tools and methods in surveillance and external reporting. Per SSA, its contractor will identify existing technical solutions that provide near real-time capabilities that the Agency will be able to leverage for internal systems security decisions and external reporting. The contractor is also to recommend additional automated tools, procedures, and/or enhancements to maximize SSA’s capabilities to this end.

We commend SSA’s proactive efforts to develop a continuous monitoring program that meets or exceeds OMB and NIST requirements.
We encourage SSA to continue its efforts to meet OMB’s requirements in a timely manner.

CONCLUSIONS AND RECOMMENDATIONS

Based on the results of OIG and GT’s work, we determined that SSA’s security programs generally complied with FISMA; however, some improvements were needed. SSA continues to work with us to identify ways to comply with FISMA. The Agency continues to develop, implement, and operate security controls to protect its sensitive data, assets, and operations.

In our prior FISMA reports, we identified similar issues related to SSA’s (1) computer security program, (2) access controls, (3) strategic planning, (4) protection of PII, (5) vulnerability remediation process, (6) employee and contractor security awareness training, (7) incident reporting, and (8) C&A process. We affirm our prior recommendations in these areas and encourage the Agency to fully implement these recommendations.

76 OMB M-10-15, supra at page 1.
77 OMB M-10-15, supra at page 2.

SSA should continue to strengthen its overall security program and practices and ensure future compliance with FISMA and other information security related laws and regulations; therefore, we recommend SSA:

1. Continue to implement security controls to resolve the significant deficiency identified in this report.
2. Establish a separate chapter in its Information Systems Security Handbook to outline all required security tasks for Contractor Systems Oversight according to OMB requirements.
3. Require that contracts include Federal security requirements.
4. Ensure compliance with the Federal requirements and Agency’s policy for Contractor Systems Oversight.
5. Complete the AFI C&A prior to further expanding the AFI application to more States.
6. Work with the OIG Office of Investigations to establish policy and procedures on what types of PII incidents should be reported to law enforcement and the OIG and in what timeframes.
7. Revise its policy, guidance, procedures, and timeframes for reporting of PII incidents to law enforcement, including the OIG.
8. Ensure all PII incidents are reported to US-CERT and the OIG within the established timeframes.
9. Provide additional guidance for determining the training needs for its employees with significant security responsibilities, require retention of documentation for such training, and establish guidance to assess the effectiveness of its security training program.

Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Office of the Inspector General Response to Annual Federal Information Security Management Act of 2002 Reporting Inspector General Questions
APPENDIX C – Background and Current Security Status
APPENDIX D – Scope and Methodology
APPENDIX E – The Social Security Administration’s Certified and Accredited Systems
APPENDIX F – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
AFI                 Access to Financial Institutions
C&A                 Certification and Accreditation
Contractor System   Systems Operated on Agency’s Behalf by a Contractor or Other Entities
CSAM                Cyber Security Assessment and Management
FCD                 Federal Continuity Directive
FISCAM              Federal Information System Controls Audit Manual
FISMA               Federal Information Security Management Act of 2002
FY                  Fiscal Year
GT                  Grant Thornton LLP
IG                  Inspector General
IT                  Information Technology
NCC                 National Computer Center
NIST                National Institute of Standards and Technology
OCIO                Office of the Chief Information Officer
ODAR                Office of Disability Adjudication and Review
OIG                 Office of Inspector General
OMB                 Office of Management and Budget
PII                 Personally Identifiable Information
Pub. L. No.         Public Law Number
POA&M               Plan of Action and Milestones
RA                  Risk Assessment
SAS                 Statement on Auditing Standards
SP                  Special Publication
SSA                 Social Security Administration
SSC                 Second Support Center
U.S.C.              United States Code
US-CERT             United States Computer Emergency Readiness Team

Appendix B

Office of the Inspector General Response to Annual Federal Information Security Management Act of 2002 Reporting Inspector General Questions

Annual FISMA Reporting Inspector General Questions
Agency Name: Social Security Administration          Submission date: 11/15/10

Section 1: Status of Certification and Accreditation Program

1. Check one:
a. (√) The Agency has established and is maintaining a certification and accreditation program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
   1. Documented policies and procedures describing the roles and responsibilities of participants in the certification and accreditation process.
   2. Establishment of accreditation boundaries for agency information systems.
   3. Categorizes information systems.
   4. Applies applicable minimum baseline security controls.
   5. Assesses risks and tailors security control baseline for each system.
   6. Assessment of the management, operational, and technical security controls in the information system.
   7. Risks to Agency operations, assets, or individuals analyzed and documented in the system security plan, risk assessment, or an equivalent document.
   8. The accreditation official is provided (i) the security assessment report from the certification agent providing the results of the independent assessment of the security controls and recommendations for corrective actions; (ii) the plan of action and milestones from the information system owner indicating actions taken or planned to correct deficiencies in the controls and to reduce or eliminate vulnerabilities in the information system; and (iii) the updated system security plan with the latest copy of the risk assessment.
b. The Agency has established and is maintaining a certification and accreditation program. However, the Agency needs to make significant improvements as noted below.
c.
The Agency has not established a certification and accreditation program.
Comments: SSA should continue to improve the effectiveness of its security assessments by increasing the number of controls assessed by the “test” method rather than the “interview” and “examine” methods.

Section 2: Status of Security Configuration Management

2. Check one:
a. (√) The Agency has established and is maintaining a security configuration management program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
   1. Documented policies and procedures for configuration management.
   2. Standard baseline configurations.
   3. Scanning for compliance and vulnerabilities with baseline configurations.
   4. FDCC baseline settings fully implemented and/or any deviations from FDCC baseline settings fully documented.
   5. Documented proposed or actual changes to the configuration settings.
   6. Process for the timely and secure installation of software patches.
b. The Agency has established and is maintaining a security configuration management program. However, the Agency needs to make significant improvements as noted below.
c. The Agency has not established a security configuration management program.

3. Identify baselines reviewed:
   AIX 5.3
   AIX 6.1
   CA TopSecret 14 GA
   Checkpoint R70.1
   CISCO IOS 12.2
   CISCO IOS 12.3
   CISCO IOS 12.4
   HP-UX 11
   iSeries OS5 6
   Juniper Netscreen 6.1.0r5.0
   Oracle DB 11.1.0.7.3
   Sun Solaris 8
   Sun Solaris 9
   Sun Solaris 10
   USS 1.11
   Windows XP Professional
   Windows Vista Enterprise
   Windows Server 2000
   Windows Server 2003
   z/OS 1.11
Comments: Weaknesses were identified with SSA’s software approval policies, and the Agency has not established baseline configurations for all environments.

We also identified network vulnerabilities during penetration testing, which the Agency has taken steps to remediate. In addition, we noted a design deficiency in the process to remediate rogue modems connected to the SSA network, and SSA’s penetration testing identified systems/software not included in its inventory.

Section 3: Status of Incident Response & Reporting Program

4. Check one:
a. (√) The Agency has established and is maintaining an incident response and reporting program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
   1. Documented policies and procedures for responding to and reporting incidents.
   2. Comprehensive analysis, validation and documentation of incidents.
   3. When applicable, reports to US-CERT within established timeframes.
   4. When applicable, reports to law enforcement within established timeframes.
   5. Responds to and resolves incidents in a timely manner to minimize further damage.
b. The Agency has established and is maintaining an incident response and reporting program. However, the Agency needs to make significant improvements as noted below.
c. The Agency has not established an incident response and reporting program.
Comments: SSA can improve its incident response and reporting program by establishing additional guidance on reporting incidents to the OIG and law enforcement.

Section 4: Status of Security Training Program

5. Check one:
a. (√) The Agency has established and is maintaining a security training program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
   1. Documented policies and procedures for security awareness training.
   2. Documented policies and procedures for specialized training for users with significant information security responsibilities.
   3. Appropriate training content based on the organization and roles.
   4. Identification and tracking of all employees with login privileges that need security awareness training.
   5.
Identification and tracking of employees without login privileges that require security\n                          awareness training.\n                       6. Identification and tracking of all employees with significant information security\n                          responsibilities that require specialized training.\n                    b. The Agency has established and is maintaining a security training program. However,\n                    the Agency needs to make significant improvements as noted below.\n                    c. The Agency has not established a security training program.\n\n\n\n\n                                                  B-2\n\x0cComments: SSA should provide additional guidance for determining the training needs for its employees with\nsignificant security responsibilities, require retention of documentation for such training, and establish guidance\nto assess the effectiveness of its security training program.\n                     Section 5: Status of Plans of Actions & Milestones (POA&M) Program\n                       a. The Agency has established and is maintaining a POA&M program that is generally\n                       consistent with NIST\'s and OMB\'s FISMA requirements and tracks and monitors known\n                       information security weaknesses. Although improvement opportunities may have been\n                       identified by the OIG, the program includes the following attributes:\n                          1. Documented policies and procedures for managing all known IT security\n                       weaknesses.\n                 \xe2\x88\x9a        2. Tracks, prioritizes and remediates weaknesses.\n                          3. Ensures remediation plans are effective for correcting weaknesses.\n                          4. Establishes and adheres to reasonable remediation dates.\n6. Check one:\n                          5. 
Ensures adequate resources are provided for correcting weaknesses.\n                          6. Program officials and contractors report progress on remediation to CIO on a regular\n                             basis, at least quarterly, and the CIO centrally tracks, maintains, and independently\n                             reviews/validates the POAM activities at least quarterly.\n                       b. The Agency has established and is maintaining a POA&M program that tracks and\n                       remediates known information security weaknesses. However, the Agency needs to make\n                       significant improvements as noted below.\n                       c. The Agency has not established a POA&M program.\nComments: We determined that not all POA&Ms were tracked in accordance with SSA\xe2\x80\x99s policy. Furthermore,\nSSA does not allocate resources to individual POA&Ms, rather, all security weaknesses needing resources are\nfunded through its IT planning process. We also noted inconsistencies with POA&M identification and\nremediation dates.\n                                 Section 6: Status of Remote Access Program\n                       a. The Agency has established and is maintaining a remote access program that is\n                       generally consistent with NIST\'s and OMB\'s FISMA requirements. Although improvement\n                       opportunities may have been identified by the OIG, the program includes the following\n                       attributes:\n                          1. Documented policies and procedures for authorizing, monitoring, and controlling all\n                             methods of remote access.\n                          2. Protects against unauthorized connections or subversion of authorized connections.\n                 \xe2\x88\x9a        3. Users are uniquely identified and authenticated for all access.\n                          4. 
If applicable, multi-factor authentication is required for remote access.\n7. Check one:             5. Authentication mechanisms meet NIST Special Publication 800-63 guidance on\n                             remote electronic authentication, including strength mechanisms.\n                          6. Requires encrypting sensitive files transmitted across public networks or stored on\n                             mobile devices and removable media such as CDs and flash drives.\n                          7. Remote access sessions are timed-out after a maximum of 30 minutes of inactivity\n                             after which re-authentication is required.\n                       b. The Agency has established and is maintaining a remote access program. However,\n                       the Agency needs to make significant improvements as noted below.\n                       c. The Agency has not established a program for providing secure remote access.\nComments: We noted that SSA allowed flexiplace employees to remove personally identifiable information\n(PII) stored on unencrypted CDs. In addition, SSA did not confirm the return of PII after it was taken out of the\noffice. Furthermore, SSA did not always remove PII from computer hard drives before disposal.\n\n\n\n\n                                                    B-3\n\x0c                    Section 7: Status of Account and Identity Management Program\n                    a. The Agency has established and is maintaining an account and identity management\n                    program that is generally consistent with NIST\'s and OMB\'s FISMA requirements and\n                    identifies users and network devices. Although improvement opportunities may have been\n                    identified by the OIG, the program includes the following attributes:\n                       1. Documented policies and procedures for account and identity management.\n                       2. 
Identifies all users, including federal employees, contractors, and others who access\n                          Agency systems.\n                       3. Identifies when special access requirements (e.g., multi-factor authentication) are\n                \xe2\x88\x9a         necessary.\n                       4. If multi-factor authentication is in use, it is linked to the Agency\'s PIV program.\n8. Check one:          5. Ensures that the users are granted access based on needs and separation of duties\n                          principles.\n                       6. Identifies devices that are attached to the network and distinguishes these devices\n                          from users.\n                       7. Ensures that accounts are terminated or deactivated once access is no longer\n                          required.\n                    b. The Agency has established and is maintaining an account and identity management\n                    program that identifies users and network devices. However, the Agency needs to make\n                    significant improvements as noted below.\n                    c. The Agency has not established an account and identity management program.\nComments: We identified weaknesses with SSA\xe2\x80\x99s process to ensure that accounts are terminated or\ndeactivated once access is no longer required.\n                          Section 8: Status of Continuous Monitoring Program\n                    a. The Agency has established an entity-wide continuous monitoring program that\n                    assesses the security state of information systems that is generally consistent with NIST\'s\n                    and OMB\'s FISMA requirements. Although improvement opportunities may have been\n                    identified by the OIG, the program includes the following attributes:\n                       1. Documented policies and procedures for continuous monitoring.\n                       2. 
Documented strategy and plans for continuous monitoring, such as vulnerability\n                          scanning, log monitoring, notification of unauthorized devices, sensitive new\n                \xe2\x88\x9a         accounts, etc.\n                       3. Ongoing assessments of selected security controls (system-specific, hybrid, and\n9. Check one:             common) that have been performed based on the approved continuous monitoring\n                          plans.\n                       4. Provides system authorizing officials and other key system officials with security\n                          status reports covering updates to security plans and security assessment reports,\n                          as well as POA&M additions.\n                    b. The Agency has established an entity-wide continuous monitoring program that\n                    assesses the security state of information systems. However, the Agency needs to make\n                    significant improvements as noted below.\n                    c. The Agency has not established a continuous monitoring program.\n\nComments:\n\n                          Section 9: Status of Contingency Planning Program\n                    a. The Agency established and is maintaining an entity-wide business continuity/disaster\n                    recovery program that is generally consistent with NIST\'s and OMB\'s FISMA\n10. Check           requirements. Although improvement opportunities may have been identified by the OIG,\none:            \xe2\x88\x9a   the program includes the following attributes:\n                       1. Documented business continuity and disaster recovery policy providing the authority\n                          and guidance necessary to reduce the impact of a disruptive event or disaster.\n\n\n                                                 B-4\n\x0c                        2. The agency has performed an overall Business Impact Assessment.\n                        3. 
Development and documentation of division, component, and IT infrastructure\n                           recovery strategies, plans and procedures.\n                        4. Testing of system specific contingency plans.\n                        5. The documented business continuity and disaster recovery plans are ready for\n                           implementation.\n                        6. Development of training, testing, and exercises (TT&E) approaches.\n                        7. Performance of regular ongoing testing or exercising of continuity/disaster recovery\n                           plans to determine effectiveness and to maintain current plans.\n                     b. The Agency has established and is maintaining an entity-wide business\n                     continuity/disaster recovery program. However, the Agency needs to make significant\n                     improvements as noted below.\n                     c. The Agency has not established a business continuity/disaster recovery program.\nComments: Although SSA\xe2\x80\x99s goal to restore primary mission essential functions within 24 hours does not meet\nFederal Continuity Directive 1\xe2\x80\x99s 12-hour requirement, SSA has taken steps to improve its disaster recovery\ncapabilities.\n                  Section 10: Status of Agency Program to Oversee Contractor Systems\n                      a. The Agency has established and maintains a program to oversee systems operated on\n                      its behalf by contractors or other entities. Although improvement opportunities may have\n                      been identified by the OIG, the program includes the following attributes:\n                         1. 
Documented policies and procedures for information security oversight of systems\n                            operated on the Agency\'s behalf by contractors or other entities the Agency obtains\n                            sufficient assurance that security controls of systems operated by contractors or\n                            others on its behalf are effectively implemented and comply with federal and agency\n                            guidelines.\n                         2. A complete inventory of systems operated on the Agency\'s behalf by contractors or\n                \xe2\x88\x9a           other entities.\n                         3. The inventory identifies interfaces between these systems and Agency-operated\n11. Check\n                            systems.\none:\n                         4. The agency requires agreements (MOUs, Interconnect Service Agreements,\n                            contracts, etc.) for interfaces between these systems and those that is owns and\n                            operates.\n                         5. The inventory, including interfaces, is updated at least annually.\n                         6. Systems that are owned or operated by contractors or entities are subject to and\n                            generally meet NIST and OMB\'s FISMA requirements.\n                      b. The Agency has established and maintains a program to oversee systems operated on\n                      its behalf by contractors or other entities. However, the Agency needs to make significant\n                      improvements as noted below.\n                      c. The Agency does not have a program to oversee systems operated on its behalf by\n                      contractors or other entities.\nComments: SSA\xe2\x80\x99s inventory does not distinguish between Agency systems and systems operated on its\nbehalf by contractors or other entities. 
In addition, we found one contractor system where SSA did not fully comply with the Federal requirements
for contractor systems oversight.

                                                                                           Appendix C

Background and Current Security Status

The Federal Information Security Management Act of 2002 (FISMA) requires that agencies create protective
environments for their information systems. It does so by creating a framework for annual information
technology (IT) security reviews, vulnerability reporting, and remediation planning, implementation,
evaluation, and documentation.[1] In Fiscal Year (FY) 2005, the Social Security Administration (SSA)
resolved the long-standing internal controls reportable condition concerning its protection of
information.[2] However, during the FY 2009 and 2010 financial statement audits, SSA's management of
access to its systems was identified as a significant deficiency.[3] SSA continues to work with us and
Grant Thornton LLP to further improve the security and protection of information and information systems
and to resolve other issues observed during prior FISMA reviews.

In the FY 2010 FISMA guidance, OMB Memorandum M-10-15, OMB stated that agencies need to be able to
continuously monitor security-related information from across the enterprise in a manageable and
actionable way.[4] To do this, agencies need to automate security-related activities, to the extent
possible, and acquire tools that correlate and analyze security-related information. Agencies need to
develop automated risk models and apply them to the vulnerabilities and threats identified by security
management tools.[5] OMB also stated that any reporting should be a by-product of the agencies'
continuous monitoring programs and security management tools.[6] Agencies should provide direct feeds
from their security management tools to CyberScope. For those agencies that do not have this ability,
OMB will soon release a roadmap that will allow agencies to upload data from security management tools
to CyberScope.[7]

For FY 2010, FISMA reporting for agencies through CyberScope will follow a three-tiered approach:[8]

          1. Data feeds directly from security management tools.
          2. Government-wide benchmarking on security posture.
          3. Agency-specific interviews.

This year, OMB instructed the Inspectors General (IG) to focus on their respective agency's management
performance, in line with the requirements of FISMA.[9] The IGs were asked to assess agency performance
in 10 major FISMA programs[10] specified by OMB, using pre-established key attributes for each program.
IGs were also required to determine areas for significant improvement if any agency programs did not
have these key attributes.[11] See details in Appendix B.

This report informs Congress and the public about SSA's security performance and fulfills OMB's
requirement under FISMA to submit an annual report to Congress. It provides OMB an assessment of SSA's
IT security strengths and weaknesses and a plan of action to improve performance. OMB requires that
agencies use an automated tool, CyberScope, to submit the annual FISMA report.

[1] Pub. L. 107-347, Title III, Section 301, 44 U.S.C. § 3544(a)(1), (a)(2), and (b)(1).
[2] SSA's FY 2005 Performance and Accountability Report, page 164.
[3] The definition of a significant deficiency for financial statement internal control is provided by
    the Statement on Auditing Standards No. 115 (SAS 115), Communicating Internal Control-Related Matters
    Identified in an Audit. SAS 115 states a significant deficiency is a deficiency, or a combination of
    deficiencies, in internal control that is less severe than a material weakness, yet important enough
    to merit attention by those charged with governance. A material weakness is a deficiency, or
    combination of deficiencies, in internal control, such that there is a reasonable possibility that a
    material misstatement of the entity's financial statements will not be prevented, or detected and
    corrected on a timely basis. OMB provides the definition of a significant deficiency under FISMA.
    OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and
    Agency Privacy Management, April 21, 2010, page 23, defines a significant deficiency as a weakness in
    an agency's overall information systems security program or management control structure, or within
    one or more information systems, that significantly restricts the capability of the agency to carry
    out its mission or compromises the security of its information, information systems, personnel, or
    other resources, operations, or assets. In this context, the risk is great enough that the agency
    head and outside agencies must be notified and immediate or near-immediate corrective action must be
    taken.
[4] OMB Memorandum M-10-15, supra at page 1.
[5] Id.
[6] OMB Memorandum M-10-15, supra at page 2.
[7] Id.
[8] OMB Memorandum M-10-15, supra at pages 2-3.
[9] OMB M-10-15, supra at page 3.
[10] Id.
[11] The OMB-specified attributes for each program and the significant improvement examples are posted
     on OMB's CyberScope Website. The agency Chief Information Officers and IGs all report through
     CyberScope.

                                                                                           Appendix D

Scope and Methodology

The Federal Information Security Management Act of 2002 (FISMA) directs each agency's Office of
Inspector General (OIG) to perform, or have an independent external auditor perform, an annual
independent evaluation of the agency's information security program and practices, as well as a review
of an appropriate subset of agency systems.[1] We contracted with Grant Thornton LLP (GT) to audit the
Social Security Administration's (SSA) Fiscal Year (FY) 2010 financial statements. Because of the
extensive internal control system work completed as part of that audit, our FISMA review requirements
were incorporated into the GT financial statement audit contract. This evaluation included Federal
Information System Controls Audit Manual (FISCAM) level reviews of SSA's financial-related information
systems. GT performed an "agreed-upon procedures" engagement using FISMA, Office of Management and
Budget (OMB) Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security
Management Act and Agency Privacy Management, National Institute of Standards and Technology guidance,
FISCAM, and other relevant security laws and regulations as a framework to complete the OIG-required
review of SSA's information security program and practices and its information systems.

The results of our FISMA evaluation are based on our FY 2010 financial statement audit and the working
papers related to GT's agreed-upon procedures engagement, as well as various audits and evaluations
performed by this office and other entities.
We also reviewed the final draft of the Chief Information Officer 2010 Annual FISMA Report.

Our evaluation followed OMB's FY 2010 FISMA guidance and focused on the following SSA programs:
Certification and Accreditation, Configuration Management, Security Incident Management, Security
Training, Remediation/Plans of Action and Milestones, Remote Access, Identity Management, Continuous
Monitoring, Contract Oversight, and Contingency Planning.

We performed field work at SSA facilities nationwide from March to November 2010. We considered the
results of other OIG audits performed in FY 2010. We conducted this performance audit in accordance with
generally accepted government auditing standards. Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives.

[1] Pub. L. No. 107-347, Title III, section 301(b), 44 U.S.C. § 3545(a)(1), (a)(2), and (b)(1).

                                                                                           Appendix E

The Social Security Administration's Certified and Accredited Systems

       System                                                                 Acronym

       General Support Systems
  1    Audit Trail System                                                     ATS
  2    Comprehensive Integrity Review Process                                 CIRP
  3    Death Alert, Control and Update System                                 DACUS
  4    Debt Management System                                                 DMS
  5    Enterprise Wide Mainframe & Distributed Network Telecommunications
       Services System                                                        EWANS
  6    FALCON Data Entry System                                               FALCON
  7    Human Resources Management Information System                          HRMIS
  8    Integrated Client Database                                             ICDB
  9    Integrated Disability Management System                                IDMS
 10    Quality System                                                         QA
 11    Security Management Access Control System                              SMACS
 12    Social Security Online Accounting & Reporting System                   SSOARS
 13    Security Unified Measurement System                                    SUMS

       Major Applications
  1    Electronic Disability System                                           eDib
  2    Earnings Record Maintenance System                                     ERMS
  3    National Investigative Case Management System                          NICMS
  4    Recovery of Overpayments, Accounting and Reporting System              ROAR
  5    Retirement, Survivors, & Disability Insurance Accounting System        RSDI ACCTNG
  6    Supplemental Security Income Record Maintenance System                 SSIRMS
  7    Social Security Number Establishment and Correction System             SSNECS
  8    Title II System                                                        Title II

                                                                                           Appendix F

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Brian Karpe, Director, Information Technology Audit Division
   Grace Chi, Acting Audit Manager

Acknowledgments

In addition to the persons named above:

   Tina Nevels, Auditor
   Michael Zimmerman, Auditor

For additional copies of this report, please visit our Website at www.socialsecurity.gov/oig or contact
the Office of the Inspector General's Public Affairs Staff Assistant at (410) 965-4518. Refer to Common
Identification Number A-14-10-20109.

                                   DISTRIBUTION SCHEDULE

Commissioner of Social Security
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform, House of Representatives
Chairman and Ranking Minority Member, Committee on Science, House of Representatives
Chairman and Ranking Minority Member, Committee on Governmental Affairs, U.S. Senate
Chairman and Ranking Minority Member, Committee on Commerce, Science and Transportation, U.S. Senate
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and
Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and
Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging

                            Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) comprises an Office of Audit (OA), Office of Investigations
(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and
Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures,
internal controls, and professional standards, the OIG also has a comprehensive Professional
Responsibility and Quality Assurance program.

                                              Office of Audit

OA conducts financial and performance audits of the Social Security Administration's (SSA) programs and
operations and makes recommendations to ensure program objectives are achieved effectively and
efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial
position, results of operations, and cash flow. Performance audits review the economy, efficiency, and
effectiveness of SSA's programs and operations. OA also conducts short-term management reviews and
program evaluations on issues of concern to SSA, Congress, and the general public.

                                          Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and
operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA
employees performing their official duties. This office serves as liaison to the Department of Justice
on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint
investigations with other Federal, State, and local law enforcement agencies.

                              Office of the Counsel to the Inspector General

OCIG provides independent legal advice and counsel to the IG on various matters, including statutes,
regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures
and techniques, as well as on legal implications and conclusions to be drawn from audit and
investigative material. Also, OCIG administers the Civil Monetary Penalty program.

                                        Office of External Relations

OER manages OIG's external and public affairs programs, and serves as the principal advisor on news
releases and in providing information to the various news reporting services. OER develops OIG's media
and public information policies, directs OIG's external and public affairs programs, and serves as the
primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and
presentations to internal and external organizations, and responds to Congressional correspondence.

                              Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG's
budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal
point for OIG's strategic planning function and the development and monitoring of performance measures.
OTRM also receives and assigns for action allegations of criminal and administrative violations of
Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides
technological assistance to investigations.